From 8545f2a3202e5c154dc24e10610a92112fe75bbe Mon Sep 17 00:00:00 2001 From: Mark McGookin Date: Wed, 17 Jun 2020 18:39:33 +0100 Subject: [PATCH] Updated security > data-protection > configuration > overview.md to explain when using blob storage to store keys and azure keyvault to protect them. The key store blob xml file must already exist before running. This isn't clear from any of the other examples or documentation. (#18533) Co-authored-by: Mark McGookin --- .../data-protection/configuration/overview.md | 18 ++++++++++++++++++ 1 file changed, 18 insertions(+) diff --git a/aspnetcore/security/data-protection/configuration/overview.md b/aspnetcore/security/data-protection/configuration/overview.md index a1100b04d9..5115be504a 100644 --- a/aspnetcore/security/data-protection/configuration/overview.md +++ b/aspnetcore/security/data-protection/configuration/overview.md 
@@ -56,6 +56,24 @@ The `keyIdentifier` is the key vault key identifier used for key encryption. For * [ProtectKeysWithAzureKeyVault(IDataProtectionBuilder, String, String, X509Certificate2)](/dotnet/api/microsoft.aspnetcore.dataprotection.azuredataprotectionbuilderextensions.protectkeyswithazurekeyvault#Microsoft_AspNetCore_DataProtection_AzureDataProtectionBuilderExtensions_ProtectKeysWithAzureKeyVault_Microsoft_AspNetCore_DataProtection_IDataProtectionBuilder_System_String_System_String_System_Security_Cryptography_X509Certificates_X509Certificate2_) permits the use of a `ClientId` and [X509Certificate](/dotnet/api/system.security.cryptography.x509certificates.x509certificate2) to enable the data protection system to use the key vault. * [ProtectKeysWithAzureKeyVault(IDataProtectionBuilder, String, String, String)](/dotnet/api/microsoft.aspnetcore.dataprotection.azuredataprotectionbuilderextensions.protectkeyswithazurekeyvault#Microsoft_AspNetCore_DataProtection_AzureDataProtectionBuilderExtensions_ProtectKeysWithAzureKeyVault_Microsoft_AspNetCore_DataProtection_IDataProtectionBuilder_System_String_System_String_System_String_) permits the use of a `ClientId` and `ClientSecret` to enable the data protection system to use the key vault. +When using a combination of keyvault and azure storage to store and protect keys, a `System.UriFormatException` will be thrown if the blob to store the keys in does not already exist. This can be manually created ahead of running the application, or `.ProtectKeysWithAzureKeyVault()` can be removed for the first run to create the blob in place, then adding it on for subsequent runs. Removing `.ProtectKeysWithAzureKeyVault()` is advised, as this will ensure that the file is created with the proper schema and values in place. 
+ +```csharp +var storageAccount = CloudStorageAccount.Parse("); +var client = storageAccount.CreateCloudBlobClient(); +var container = client.GetContainerReference(""); + +var azureServiceTokenProvider = new AzureServiceTokenProvider(); +var keyVaultClient = new KeyVaultClient(new KeyVaultClient.AuthenticationCallback( + azureServiceTokenProvider.KeyVaultTokenCallback)); + +services.AddDataProtection() + //This blob must already exist before the application is run + .PersistKeysToAzureBlobStorage(container, "") + //Removing this line below for an initial run will ensure the file is created correctly + .ProtectKeysWithAzureKeyVault(keyVaultClient, ""); +``` + ::: moniker-end ## PersistKeysToFileSystem
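Review bot: the C# sample added in this hunk does not compile as written: `var storageAccount = CloudStorageAccount.Parse(");` opens a string literal that is never closed, so the rest of that line is swallowed into the literal. Suggest `var storageAccount = CloudStorageAccount.Parse("<connection-string>");`, and for the same reason replace the empty `""` arguments in `GetContainerReference("")`, `PersistKeysToAzureBlobStorage(container, "")` and `ProtectKeysWithAzureKeyVault(keyVaultClient, "")` with named placeholders such as `"<container-name>"`, `"<blob-name>"` and `"<key-identifier>"`, so the reader can tell which value goes where (the paragraph above the hunk already calls the last one `keyIdentifier`). On the prose: the workaround it advises, dropping `.ProtectKeysWithAzureKeyVault()` for the first run, means the key created on that run is persisted to the blob without the Key Vault encryption this section is about, which the text should state plainly, and it should present creating the blob ahead of time as the safer of the two options rather than recommending the unprotected first run. Minor: "keyvault" and "azure storage" should read "Azure Key Vault" and "Azure Storage" to match the surrounding page.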